Mozilla and Firefox Flaws

Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in gzip, Mozilla and Firefox, OpenOffice.org,
the FreeBSD kernel, Ethereal, TCPDump, libTIFF, Smail, Apache2's htdigest, and SCO
UnixWare's chroot.

gzip

gzip and gunzip are reported to be vulnerable to a race condition in the way
they set the permissions of the files they create, and to a bug in their handling
of filenames. The zgrep utility is reported to mishandle its command-line
arguments. Successful exploitation of these vulnerabilities could result in
arbitrary files being overwritten, file permissions being changed or, possibly,
arbitrary commands being executed.

All users should watch their vendors for a repaired version of gzip and related
tools.
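The permission race described above is the classic "create the file, then chmod() it by path" pattern. The following is an added example written for this column, not gzip's own code: it shows the racy creator next to one that closes the window, and runs both against a symlink planted at the output path, which is what a local attacker would do during the race. The directory, file names and modes are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700            /* for mkdtemp, symlink, fchmod */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: the file is created with the umask's default bits, and the
 * later chmod() looks the path up a second time, following whatever sits
 * there by then. Between the two calls a local attacker with write access
 * to the directory can replace `path` with a symlink to any file. */
int create_then_chmod(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0)
        return -1;
    close(fd);
    /* <-- race window */
    return chmod(path, mode);
}

/* Closed pattern: O_EXCL makes open() fail with EEXIST if anything, a
 * symlink included, already sits at the path; the mode is applied at
 * creation, under a temporary umask so no wider bits ever exist; and the
 * final mode is set with fchmod() on the descriptor, so the path is never
 * resolved again. Returns the open descriptor, or -1 with errno set. */
int create_with_fd_perms(const char *path, mode_t mode)
{
    mode_t old = umask(077);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    umask(old);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) < 0) {
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }
    return fd;
}

/* Permission bits of a path, or -1 if it cannot be stat'ed. */
int perm_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) < 0 ? -1 : (int)(st.st_mode & 07777);
}

/* Scenario in a fresh temporary directory: a victim file the attacker wants
 * made readable, and a symlink planted at the output path as it would be
 * during the race window. Returns 1 if the racy creator changed the victim's
 * mode through the symlink while the safe creator refused with EEXIST,
 * 0 if either behaved differently, -1 if the setup failed. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/gzdemoXXXXXX", victim[64], out[64];
    int fd, racy, safe, safe_errno, result;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/out.gz", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    if (symlink(victim, out) < 0)
        return -1;

    racy = create_then_chmod(out, 0644);     /* follows the link: victim becomes 0644 */
    safe = create_with_fd_perms(out, 0644);  /* O_EXCL on a symlink: EEXIST */
    safe_errno = errno;
    if (safe >= 0)
        close(safe);
    result = racy == 0 && perm_bits(victim) == 0644 &&
             safe == -1 && safe_errno == EEXIST;

    unlink(out); unlink(victim); rmdir(dir);
    return result;
}

/* The safe creator yields exactly the requested mode regardless of the
 * caller's umask; returns the bits observed on disk (expected 0600). */
int demo_safe_mode(void)
{
    char dir[] = "/tmp/gzdemoXXXXXX", out[64];
    int fd, bits;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(out, sizeof out, "%s/out.gz", dir);
    mode_t old = umask(022);   /* a permissive umask, as most shells set */
    fd = create_with_fd_perms(out, 0600);
    umask(old);
    if (fd < 0)
        return -1;
    close(fd);
    bits = perm_bits(out);
    unlink(out); rmdir(dir);
    return bits;
}

int main(void)
{
    printf("symlink attack caught: %d\n", demo_symlink_attack());
    printf("safe creator mode: %04o\n", demo_safe_mode());
    return 0;
}
```

The point of the second creator is that every decision is made on the descriptor: the mode is fixed at the moment the inode comes into existence, and nothing is ever done to the path again. A utility that must overwrite an existing output file cannot use O_EXCL as-is; the usual answer is to create a fresh file with a random name and rename() it into place, which keeps the same property.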

Mozilla and Firefox

Several bugs and flaws in the Mozilla and Firefox web browsers have been announced
recently. Examples include: a web site could define its favicon as JavaScript,
which is executed when the icon is retrieved; and, under some conditions, pop-up
windows could be opened with increased permissions, which could be abused to
install and execute arbitrary code with the victim's permissions.

All users of Mozilla or Firefox should watch their vendors for a repaired version
of their browser.

OpenOffice.org

A buffer overflow in the StgCompObjStream::Load() function of OpenOffice.org
may be exploitable, under some conditions, to execute arbitrary code with the
permissions of the user running OpenOffice. The buffer overflow can be triggered
when the victim opens a carefully crafted .doc file with OpenOffice.org. The
buffer overflow affects version 1.1.4 and earlier and version 2.0beta and earlier.

It is recommended that all users of OpenOffice.org upgrade to version 1.9.95
when it becomes available or apply the currently available patch for version
1.1.4. Beta users should upgrade to the latest beta release. All users should exercise care when opening files from untrusted sources.

FreeBSD Kernel

Problems in the i386_get_ldt() function in the FreeBSD kernel may, under some
conditions, be exploitable by a local user to view unauthorized pieces of kernel
memory. This kernel memory could contain sensitive information such as user
passwords.

Users should upgrade to the latest version of the FreeBSD branch they are using.
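The column gives no details of the i386_get_ldt() bug beyond the effect, so the following is an added example of the general shape of such a leak rather than FreeBSD's code: a "copy N entries starting at index S to the caller" interface whose bounds check is written as S + N <= TABLE_SIZE. That addition can wrap, so a caller who picks N to overflow the sum passes the check and the copy reads kernel memory beyond the table. The table, the "secret" placed after it, and the entry format are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define TABLE_ENTRIES 8
struct entry { uint32_t lo, hi; };

/* Constructed "kernel" memory: the table the interface is allowed to
 * expose, immediately followed by data that must never reach user space. */
static const struct {
    struct entry table[TABLE_ENTRIES];
    char secret[16];
} kmem = {
    { {0, 0}, {1, 1}, {2, 2}, {3, 3}, {4, 4}, {5, 5}, {6, 6}, {7, 7} },
    "hunter2"
};

/* Wrong: unsigned addition wraps, so start = 1, count = UINT_MAX gives
 * start + count == 0, which passes. */
int bounds_ok_unsafe(unsigned start, unsigned count)
{
    return start + count <= TABLE_ENTRIES;
}

/* Wrong, signed variant: a negative start keeps the sum small while the
 * copy begins before the table. */
int bounds_ok_unsafe_signed(int start, int count)
{
    return start + count <= TABLE_ENTRIES;
}

/* Right: each operand is checked against the table on its own and the
 * sum is never formed, so there is nothing to wrap. */
int bounds_ok_safe(unsigned start, unsigned count)
{
    return start <= TABLE_ENTRIES && count <= TABLE_ENTRIES - start;
}

/* How many bytes past the end of the table the unsafe check would let a
 * copy read for these arguments (computed in 64 bits rather than performed,
 * since the real copy would fault or leak). 0 if the check rejects. */
uint64_t bytes_past_table_unsafe(unsigned start, unsigned count)
{
    if (!bounds_ok_unsafe(start, count))
        return 0;
    uint64_t end = (uint64_t)start + count;
    return end > TABLE_ENTRIES ? (end - TABLE_ENTRIES) * sizeof(struct entry) : 0;
}

/* The "syscall" with the safe check: copies count entries from start into
 * the caller's buffer of cap entries. Returns entries copied, or -1. */
int get_entries(unsigned start, unsigned count, struct entry *out, unsigned cap)
{
    if (!bounds_ok_safe(start, count) || count > cap)
        return -1;
    memcpy(out, &kmem.table[start], (size_t)count * sizeof *out);
    return (int)count;
}

/* Convenience for callers without a buffer: runs get_entries() into a
 * local buffer and returns its result; on success also verifies that the
 * last entry copied is the one expected (returns -2 if not). */
int demo_get_entries(unsigned start, unsigned count)
{
    struct entry buf[TABLE_ENTRIES];
    int rc = get_entries(start, count, buf, TABLE_ENTRIES);
    if (rc > 0 && buf[rc - 1].lo != start + (unsigned)rc - 1)
        return -2;
    return rc;
}
```

The safe check also rejects a count larger than the caller's own buffer, which is the other half of the problem in this kind of interface: even a correct table bound leaks nothing if the copy then overruns the user buffer, but it does corrupt the caller.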

Ethereal

Ethereal is an open source network sniffer that can inspect and dissect more
than 600 network protocols. A buffer overflow in its SIP dissector can be
triggered by a remote attacker with a carefully crafted packet, whether Ethereal
reads the packet live from the network it is monitoring or from a capture file
recorded earlier. A program that automates exploitation of this vulnerability
has been released to the public.

It is strongly recommended that users upgrade to Ethereal version 0.10.11
or newer as soon as possible.

TCPDump

The network sniffer TCPDump is reported to be vulnerable to several denial-of-service
attacks caused by bugs in the code TCPDump uses to handle ISIS, BGP, LDP, and
RSVP packets.

Users should watch their vendors for an updated version of TCPDump.

libTIFF

libTIFF is a programming library that provides support for reading and manipulating
Tag Image File Format (TIFF) images. A bug in the library may be exploitable
by an attacker who creates a carefully crafted TIFF image with a malformed
BitsPerSample tag and gets the victim to view it with any application linked
against libTIFF.

Smail

The mail transport agent Smail is vulnerable to a buffer overflow that may
be exploitable under certain conditions by a remote attacker to execute arbitrary
code with root permissions. This buffer overflow affects version 3.2.0.120
of Smail and earlier. Code to automate the exploitation of this buffer overflow
on some platforms has been released to the public.

Affected users should watch their vendors for a repaired version.

Apache 2 htdigest

The htdigest utility distributed with Apache 2 is used to create and update
the password files used for digest authentication of HTTP users. It is reported
to contain a buffer overflow in the code that handles the user and realm
arguments. In most cases this buffer overflow cannot be exploited for any gain
in permissions. A vulnerable system would be one where htdigest can be executed
from a CGI script: a remote attacker could then trigger the overflow and execute
code with the permissions of the user account running the web server.

Affected users should disable the htdigest utility or prevent it from being
executed by a remote user until it has been repaired.
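The htdigest entry, like the OpenOffice.org, Ethereal and Smail entries above, comes down to an attacker-controlled string copied into a fixed-size buffer without a length check. The following is an added example written for this column, not Apache's htdigest code: a builder for the "user:realm:" prefix of an htdigest record in the vulnerable shape, next to a checked version. The buffer size is deliberately small, the hash that htdigest appends is omitted, and the sample arguments are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Deliberately small so an overlong argument is easy to construct. */
#define LINE_SIZE 64

/* Vulnerable pattern: a fixed buffer and copies that write as many bytes as
 * the arguments contain. With a user or realm longer than the buffer the
 * copy runs past `line` into whatever follows it in memory; for a stack
 * buffer that is saved registers and the return address. Kept only to show
 * the shape of the bug; never call it with untrusted input. */
const char *build_line_unsafe(const char *user, const char *realm)
{
    static char line[LINE_SIZE];
    strcpy(line, user);
    strcat(line, ":");
    strcat(line, realm);
    strcat(line, ":");
    return line;
}

/* Checked version: measures first, refuses anything that does not fit with
 * the two separators and the terminator, and writes with a bounded call.
 * It also refuses ':' inside either field because ':' separates the
 * fields of the record (an added precaution, not something the advisory
 * describes). Returns the length written, or -1. */
int build_line_safe(char *out, size_t outsz, const char *user, const char *realm)
{
    size_t ul = strlen(user), rl = strlen(realm);
    int n;

    if (strchr(user, ':') != NULL || strchr(realm, ':') != NULL)
        return -1;
    if (ul >= outsz || rl >= outsz || ul + rl + 2 >= outsz)   /* "user:realm:" + NUL */
        return -1;
    n = snprintf(out, outsz, "%s:%s:", user, realm);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Runs the checked builder against a LINE_SIZE buffer, as a caller with a
 * fixed-size record buffer would; returns its result. */
int demo_line(const char *user, const char *realm)
{
    char line[LINE_SIZE];
    return build_line_safe(line, sizeof line, user, realm);
}

/* The case the advisory is about: an argument far longer than the buffer,
 * here 300 bytes, as a CGI script might pass straight from a request
 * parameter. The checked builder refuses it instead of overrunning. */
int demo_overlong_user(void)
{
    char user[301];
    memset(user, 'A', 300);
    user[300] = '\0';
    return demo_line(user, "Secure Area");
}
```

The check is made before the first byte is written, on the lengths the arguments actually have, and the write itself is bounded as well; either alone is the kind of half-fix that leaves an off-by-one. For a utility such as htdigest the second line of defence is the one the advisory suggests: do not let a remote request reach its argument list at all.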

SCO UnixWare chroot

SCO has announced a vulnerability in UnixWare's chroot jail that can be exploited
by an attacker to escape the restrictions of chroot. No details were provided
by SCO other than that the vulnerability affects SCO's OpenServer 5.0.6 and 5.0.7.

SCO has released a patch for OpenServer 5.0.6 and 5.0.7.

GnuTLS

The GNU project's GnuTLS library implements the TLS 1.0 and SSL 3.0 protocols.
A bug in the library's record packet parsing may be exploitable by an attacker
for a denial-of-service attack against any application linked with the library.
A bug in the RSA key export code has also been reported.
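The record layer is where an attacker's bytes are first given meaning, so the checks on the 5-byte record header decide whether a crafted length field can drive a read past the data that has arrived or an allocation sized by the peer. The column does not say what the GnuTLS bug was; the following is an added example written for this column, not GnuTLS code, showing a record-header parser that trusts the length field only after checking it against both the protocol limit and the bytes actually present. All records are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>

/* 2^14 bytes of plaintext plus up to 2048 bytes of compression and cipher
 * expansion: the largest record payload SSL 3.0 / TLS 1.0 allow. */
#define TLS_RECORD_MAX_PAYLOAD (16384 + 2048)

enum {
    REC_OK = 0,
    REC_ERR_SHORT = -1,      /* fewer than 5 bytes: no complete header */
    REC_ERR_TYPE = -2,       /* content type outside 20..23 */
    REC_ERR_VERSION = -3,    /* not SSL 3.0 (3,0) or TLS 1.0 (3,1) */
    REC_ERR_LENGTH = -4,     /* length field above the protocol limit */
    REC_ERR_TRUNCATED = -5   /* length field larger than the bytes present */
};

struct tls_record {
    uint8_t type;
    uint8_t major, minor;
    uint16_t length;
    const uint8_t *payload;   /* points into the caller's buffer */
};

/* Parses one record header from buf[0..avail). The length field is trusted
 * only after it has been checked against both the protocol limit and the
 * bytes actually present; with either check missing, a crafted header can
 * drive a read past the buffer or an oversized allocation. */
int tls_record_parse(const uint8_t *buf, size_t avail, struct tls_record *rec)
{
    if (avail < 5)
        return REC_ERR_SHORT;
    if (buf[0] < 20 || buf[0] > 23)          /* change_cipher_spec .. application_data */
        return REC_ERR_TYPE;
    if (buf[1] != 3 || buf[2] > 1)
        return REC_ERR_VERSION;
    uint16_t length = (uint16_t)((buf[3] << 8) | buf[4]);
    if (length > TLS_RECORD_MAX_PAYLOAD)
        return REC_ERR_LENGTH;
    if (length > avail - 5)                  /* avail >= 5 here, so no underflow */
        return REC_ERR_TRUNCATED;
    rec->type = buf[0];
    rec->major = buf[1];
    rec->minor = buf[2];
    rec->length = length;
    rec->payload = buf + 5;
    return REC_OK;
}

/* Walks a buffer of back-to-back records. Returns how many were parsed, or
 * the first error code. Advancing by 5 + length is safe only because the
 * parser has already proved that many bytes are present. */
int tls_count_records(const uint8_t *buf, size_t avail)
{
    struct tls_record rec;
    int n = 0;
    while (avail > 0) {
        int rc = tls_record_parse(buf, avail, &rec);
        if (rc != REC_OK)
            return rc;
        buf += 5 + rec.length;
        avail -= 5 + rec.length;
        n++;
    }
    return n;
}

/* Constructed records: a 4-byte handshake record, one whose header claims
 * 16384 bytes but carries 5, one claiming 65535, one with an invalid type,
 * a 3-byte fragment, and a handshake record followed by a 2-byte alert. */
static const uint8_t rec_ok[]        = { 0x16, 0x03, 0x01, 0x00, 0x04, 0x01, 0x02, 0x03, 0x04 };
static const uint8_t rec_truncated[] = { 0x16, 0x03, 0x01, 0x40, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 };
static const uint8_t rec_toolong[]   = { 0x17, 0x03, 0x01, 0xff, 0xff, 0x01, 0x02, 0x03, 0x04, 0x05 };
static const uint8_t rec_badtype[]   = { 0x99, 0x03, 0x01, 0x00, 0x01, 0x00 };
static const uint8_t rec_short[]     = { 0x16, 0x03, 0x01 };
static const uint8_t two_records[]   = { 0x16, 0x03, 0x01, 0x00, 0x04, 0x01, 0x02, 0x03, 0x04,
                                         0x15, 0x03, 0x00, 0x00, 0x02, 0x02, 0x28 };

/* Parses one of the samples above by index and returns the parser's code;
 * indices 5 and 6 walk the two-record buffer, complete and with its last
 * byte missing. */
int demo_parse(int which)
{
    struct tls_record rec;
    switch (which) {
    case 0: return tls_record_parse(rec_ok, sizeof rec_ok, &rec);
    case 1: return tls_record_parse(rec_truncated, sizeof rec_truncated, &rec);
    case 2: return tls_record_parse(rec_toolong, sizeof rec_toolong, &rec);
    case 3: return tls_record_parse(rec_badtype, sizeof rec_badtype, &rec);
    case 4: return tls_record_parse(rec_short, sizeof rec_short, &rec);
    case 5: return tls_count_records(two_records, sizeof two_records);
    default: return tls_count_records(two_records, sizeof two_records - 1);
    }
}
```

In a real implementation REC_ERR_SHORT and REC_ERR_TRUNCATED mean "wait for more bytes", not "reject", but the distinction matters for the denial-of-service case: the reader must cap how much it will buffer while waiting (the protocol limit above is that cap), or a peer that announces a large record and never finishes it ties up memory for the life of the connection.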